U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

PUBLIC RELEASE

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

NIST’s Policy of Allowing Informal Collaborations with Non-Federal Researchers Requires Additional Controls

Inspection Report No. IPE-10854 / September 1998

Office of Inspections and Program Evaluations

September 30, 1998

MEMORANDUM FOR: Raymond G. Kammer
                Director
                National Institute of Standards and Technology

FROM:           Johnnie E. Frazier
                Acting Inspector General

SUBJECT:        Final Report: NIST’s Policy of Allowing Informal Collaborations with Non-Federal Researchers Requires Additional Controls (IPE-10854)

This is our final report examining the National Institute of Standards and Technology’s (NIST) management of interagency and other special agreements. This report is part of a series of reports to be issued on our Department-wide review of the various types of interagency and other special agreements that the bureaus enter into with federal and non-federal parties. These agreements involve performing work for others (reimbursable agreements), acquiring work from others (obligation agreements), or coordinating complementary programs without the transfer of funds (memoranda of understanding or agreement).
We also tried to identify where Commerce bureaus should be using agreements to better define their activities with other parties.

On a positive note, NIST has established and maintains a reliable process, with the necessary policies and procedures, to monitor its interagency and other special agreements.[1] Based on limited field work performed from October 1997 through January 1998 at the National Institute of Standards and Technology (NIST) operations in Gaithersburg, Maryland, and Boulder, Colorado, we determined that NIST’s agreement processes and procedures compared favorably with other Commerce bureaus. For example, NIST has a comprehensive set of guidelines for processing agreements. Sections of its administrative manual are currently being updated and its intranet site includes sample agreements, contact names, links to relevant regulations and laws, and decision trees to help program officials decide which agreements are appropriate. NIST also maintains databases of its agreements that provide information such as party, dollar amounts, and relevant dates.

However, we later identified one issue that warrants management attention—NIST’s policy of allowing informal collaborations with non-federal researchers without a signed, written agreement. This portion of our review was conducted from March 24, 1998, through April 24, 1998.

[1] Because of work recently conducted by our Office of Audits, we excluded NIST’s cooperative research and development agreements and guest researcher agreements from the scope of this review.

With few exceptions, a written agreement is preferable when non-federal researchers work in NIST facilities.
NIST’s current policy of requiring a written agreement only when a non-federal researcher works at NIST for more than 10 days during a calendar year does not violate federal laws or regulations, but there are several inherent risks associated with this policy. To provide more protection for proprietary information and government property, we believe that at a minimum, NIST should keep a log of all short-term visiting researchers who are conducting substantive work in NIST facilities without the benefit of a written agreement with NIST.

NIST’s response to our draft report concurred with our finding and recommendation and indicates that NIST is taking preliminary actions to address our concern. A copy of the response is included as an attachment to this report.

Please provide us with an action plan within 60 days addressing the inspection recommendation, including when your action will be completed, in accordance with the procedures described in DAO 213-5. We appreciate the cooperation and courtesies extended by your staff during our inspection.

Background

NIST’s authorizing legislation directs it to work with U.S. industry and academia through four programs: (1) measurement and standards research and development, (2) the Advanced Technology Program, (3) the Manufacturing Extension Partnership, and (4) the Malcolm Baldrige National Quality Award. These programs involve working extensively with outside parties, sharing information and resources, and/or making scientific results available to the public. NIST uses several forms of written agreements to encourage and formalize its collaborations with other parties, including grants, contracts, cooperative research and development agreements, guest researcher agreements, and interagency agreements.
NIST also informally works with outside parties without any written agreement.

According to NIST’s policy, a written agreement is not required when a non-federal researcher works in NIST facilities for 10 days or less during a calendar year. This report is concerned only with those non-federal visitors who qualify under this rule, by working for 10 days or less at NIST without a written agreement. These visiting researchers may work in NIST facilities for several days and engage in a broad array of work. Some visitors attend conferences or have brief meetings with NIST personnel without doing any work in a laboratory, while others perform substantive laboratory work. Furthermore, some visitors may meet with NIST personnel in an office and then have a brief tour of a laboratory. We are primarily concerned with visiting researchers who are performing substantive laboratory work rather than with those visiting offices or simply touring the facilities. With some limited exceptions, NIST does not keep any records of these visiting researchers; therefore, we could not determine how many visited NIST in fiscal year 1997.

Additional Controls Are Necessary to Better Address the Risks of Not Always Requiring Written Agreements

As part of a 1995 internal review of commercializing technology, NIST considered the strengths and weaknesses of not always requiring written agreements with visiting researchers. Weighing the risks against its mission requirements, NIST decided to retain its policy of requiring non-federal researchers to enter into a written agreement with NIST only if they work at its facilities for longer than 10 days a year. NIST’s primary concern with requiring written agreements for all visiting researchers is that the time involved in preparing and finalizing an agreement may deter short-term visiting researchers.
However, our concern is that there is not sufficient consideration given to controlling visitor access to materials, equipment, and information.

We believe that the main risks identified by NIST—protection of intellectual property rights, safeguarding proprietary information, and potential liability for personal and property damages—that led to written agreements for long-term visiting researchers also apply to short-term researchers. In addition, because NIST does not keep a log or other record of visitors, NIST cannot determine whether it is in compliance with its own requirement to have written agreements with researchers who stay longer than 10 days. We believe that, at a minimum, NIST should require its laboratories to keep a log of all non-federal researchers who visit its facilities but do not have a written agreement with NIST. This information should provide additional protection against the risks of not having written agreements.

Documenting access to proprietary information and valuable equipment

NIST is required by law to ensure the security of proprietary material. Relevant laws and regulations include the Economic Espionage Act, the Trade Secrets Act, and the Department’s Personnel Security Manual. In addition, the Department’s Physical Security Manual provides procedures for permitting access to facilities and safeguarding government-owned property. We did not review how well NIST implements these laws and regulations. We only evaluated whether informal collaborations with non-federal researchers violate security regulations and unnecessarily expose NIST to the risk of disclosing protected information and having valuable property stolen or damaged.
Considering recent security problems with short-term visitors at other federal laboratories,[2] we have concerns about the lack of controls over visiting researchers working at NIST without an agreement.

We observed two potential security weaknesses in NIST’s current practice of permitting informal collaborations with non-federal researchers. First, visiting researchers may obtain unauthorized access to proprietary material. In fiscal year 1997, NIST had 127 agreements with non-federal parties that prohibited the unauthorized disclosure of any proprietary information exchanged. The actual amount of proprietary information may be limited, but the existence of any such material is of concern to us. Considering that visiting researchers generally have free access to most, if not all, areas of NIST laboratories, sensitive materials may not be properly protected.

[2] Department of Energy: DOE Needs to Improve Controls Over Foreign Visitors to Weapons Laboratories, GAO/RCED-97-229, September 25, 1997.

Second, NIST’s lack of access controls places expensive equipment and other property at risk of being stolen and makes recovery of these items more difficult. Over the past several years, NIST’s Gaithersburg facilities have experienced increased incidents of petty theft as the surrounding area has continued to develop. The Department’s Office of Security is in the process of reviewing NIST’s physical, information, and personnel security. NIST possesses a substantial amount of specialized and costly equipment.
If equipment is stolen or damaged by a visiting researcher, NIST may not be able to identify all of the people who may have spent a substantial amount of time working with or around the equipment.

Because of its mission, NIST has determined that it should have a higher degree of openness in dealing with the public than most other government agencies. However, NIST must maintain a balance between meeting its security responsibilities and interacting with the public. We are concerned that NIST cannot determine or estimate how many visiting researchers are working at its facilities and therefore is not sufficiently aware of the associated risks. A record of visiting researchers would allow NIST to determine who had access to certain facilities if equipment is missing or damaged or if there is a claim that an unauthorized person had access to proprietary material. In addition, a record could potentially be a deterrent to someone intending to steal or damage NIST property and could aid in the recovery of lost property.

Minimizing the Administrative Burden

Knowing how many short-term researchers use its facilities would allow NIST to better quantify and perhaps even reduce the risks of not always requiring written agreements. NIST could also use the information as a management tool to help determine whether these collaborations are within its mission and an appropriate use of the laboratories’ resources. Keeping track of these visiting researchers would also provide the information needed for NIST to periodically reassess its policy of not requiring formal agreements for these short-term researchers.

The limited additional burden of implementing a record-keeping system would not outweigh its advantages. Unlike the processing of written agreements, keeping a log of visitors does not require significant administrative time. In fact, implementation at the division level would be fairly simple.
The NIST employee hosting a non-federal researcher could record basic information about the visitor, such as name, employer, citizenship, and purpose and date of the visit. The information should then be consolidated at the laboratory level for management’s use. Because we are suggesting that NIST employees record the information about short-term visitors, it is also unlikely that these researchers would be discouraged from collaborating with NIST.

At least one laboratory (the Electronics and Electrical Engineering Laboratory) currently collects and reports its informal interactions with outside researchers. The laboratory records interactions at the division level and periodically consolidates the data for the entire laboratory. Information such as the name of the visitor, visitor’s affiliated institution, nationality, dates visited, and sponsoring NIST employee are recorded. We believe this is a good practice that should be followed by the other NIST laboratories. In implementing our recommendation, we stress that NIST should require its divisions and laboratories to focus on recording informal collaborations that involve substantive laboratory work.

At our exit conference for this review, we were told that NIST plans to implement a new requirement for all foreign and domestic researchers who perform laboratory research for any length of time. These visitors may sign a written agreement or provide basic personal information, such as name, citizenship, and employer, that NIST will store centrally. We believe that this policy could be responsive to our recommendation if implemented properly.
We request that NIST provide more detail about which visitors this policy will apply to, the types of information that will be collected, and the method of implementation.

Recommendation

We recommend that the NIST Director require the agency’s laboratories to record informal interactions with non-federal researchers where work is performed in NIST laboratory facilities and there is no written agreement with the researcher. Data should be collected at the division level and consolidated at the laboratory level. This additional data should be used by NIST to periodically evaluate its policy of not requiring formal agreements for these short-term researchers.

In response to our draft report, NIST agreed with our recommendation presented in the report. NIST’s response states that the recommendation will be resolved as a matter of course by continuing implementation of the newly developed policies and procedures on foreign and domestic guest researchers. We have requested a copy of an action plan to address our recommendation.

Attachment

cc: Bruce Mattson, Program Coordinator, NIST Industrial Partnerships Program
    Michael R. Rubin, NIST Council
    Marilyn Khan, NIST Audit Liaison

Attachment
NIST’s Response To The Report